GDPR summary.
This page summarizes how HermesAI handles GDPR-facing roles, legal bases, data subject rights, transfers, and retention.
1. Controller and processor roles
HermesAI acts as a controller for website, account, billing, and direct business operations. For newsroom content and user data processed on behalf of customer organizations, HermesAI may also act as a processor under the customer's instructions.
2. Legal bases
Depending on the activity, HermesAI may rely on:
- contract performance for account access and subscription delivery,
- legitimate interests for service security and operational integrity,
- legal obligations for billing or compliance records,
- consent where required for optional communications or future tracking features.
3. Data subject rights
Data subjects may have rights to:
- access their personal data,
- correct inaccurate data,
- request deletion where no overriding basis exists,
- restrict or object to certain processing,
- receive portable copies where applicable,
- complain to a supervisory authority.
4. Requests
GDPR-related requests should be sent to the HermesAI privacy contact listed on the Contact page. When HermesAI acts only as a processor, requests may need to be coordinated with the customer organization that controls the data.
5. Transfers and subprocessors
HermesAI uses third-party providers for authentication, billing, AI processing, object storage, and operational infrastructure. Where those providers act as subprocessors or importers, the relevant provider terms and customer contract govern the transfer safeguards.
6. Retention and minimization
HermesAI applies data minimization and retains data according to the role each record plays in account management, billing, security, support, and newsroom workflow operations.
7. Requests involving customer workspaces
When HermesAI acts only as a processor for a customer organization, requests involving newsroom workspace data may need to be handled with that customer. HermesAI supports that process through tenant-scoped access controls, audit records, and customer-specific contract terms.